kuza55

1 year ago

in TTL Caging: How to Fight Malware Using Reduced TTL Values on dmiessler.com | grep understanding

And the benefit of using this instead of a firewall is what? That anyone who wants to can circumvent it? That doesn't seem like a very useful idea to me... Especially since you're still relying on being able to identify bad traffic going through the proxy.


P.S. IDSs suck.
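The circumvention the comment above refers to, as an added example that is not part of the original comment or of the TTL Caging article: on a Linux or BSD host the per-socket TTL is an ordinary, unprivileged socket option, so a "caged" low default only constrains software that never bothers to change it. The topology, the hop names and the cage value below are constructed for illustration.

```python
"""Why a reduced default TTL is not a containment boundary.

Added example; not from the original comment or the TTL Caging article.
Assumes a Linux/BSD-style host where a process may set IP_TTL on its own
socket. PATH and the cage value are constructed, not measured.
"""
import socket

# Constructed path a packet takes from the caged host outwards. A cage TTL
# smaller than the index of "edge-router" keeps packets inside the network.
PATH = ["host", "access-switch", "core-router", "edge-router", "isp", "internet-c2"]


def reaches(ttl, path=PATH):
    """Return the hops a packet with this initial TTL gets to.

    Every router decrements TTL by one and discards the packet once it hits 0,
    which is the whole mechanism the caging idea relies on.
    """
    reached = [path[0]]
    for hop in path[1:]:
        ttl -= 1
        if ttl <= 0:
            break
        reached.append(hop)
    return reached


def socket_ttl(sock):
    """Read the TTL the kernel will stamp on packets from this socket."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)


def caged_socket(cage_ttl):
    """What a TTL-caging policy amounts to: sockets start with a small TTL."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, cage_ttl)
    return s


def escape(sock, ttl=64):
    """What any code on the host can do: raise the TTL on its own socket.

    IP_TTL needs no privilege, so the cage is a default, not an enforced limit;
    the firewall the comment mentions is the thing the malware cannot reconfigure.
    """
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    return socket_ttl(sock)


def demo(cage_ttl=2):
    """Hops reachable before and after the process overrides the cage."""
    s = caged_socket(cage_ttl)
    try:
        before = reaches(socket_ttl(s))
        after = reaches(escape(s))
    finally:
        s.close()
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("caged  :", " -> ".join(before))
    print("escaped:", " -> ".join(after))
```

The check a practitioner wants is the `escape()` call: if an unprivileged process can raise its own TTL, the cage provides no guarantee against the code you actually worry about.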

1 year ago

in Secrets of Google’s Information Security Team on danielmiessler.com | grep understanding

I don't know of them (I audit code, I try to avoid writing it), but my point was merely that it's not inherently a good idea; if there is nowhere that these kind of libraries exist, then the discussion of the fact is irrelevant because they have no other choice, but if there is then it's merely a trade-off rather than something to be held up as something people should be doing.

1 year ago

in Secrets of Google’s Information Security Team on danielmiessler.com | grep understanding

If you mandate that everyone on your security team needs to be a programmer, you're not going to end up with an elite security team, you're going to end up with a team of developers who know something about security. Now, security people (especially application security people) must be able to code, but this isn't the same thing as them needing to be programmers. Security researchers are security researchers because they want to attack stuff, not because they want to code; if they wanted to code they'd be programmers already.


Also, writing all your own security libraries is not inherently a good idea because you lose the benefit of the fact that many eyes can look at and review the code to help improve it; of course so can bad guys, and Google is a pretty attractive target, but it's a trade-off, not something inherently good about Google's policy.


Furthermore, while peer review is good, it should also be reviewed by the security team because that's why you have them; because you know developers probably don't know as much about security as the security team. Of course they have fewer security people than developers, so getting devs to review code makes sense.


Also, throwing all the attacks they've ever seen against their code is a stupid idea, let me explain why:
- You need to be able to differentiate between what an attack is and what isn't. The fact that IDSs and IPSs suck so much illustrates how hard a problem this itself is. And if someone's got an attack that's interesting enough that the security team can learn from it, they've probably got a bunch of ways to evade the IDS that Google is using. And the best case is that you can find known attack variants, all of which the Google security team should already know about, and they should keep a database of those, rather than the junk they get sent.
- Throwing stuff blindly at apps is what a fuzzer does, and we already know that fuzzers don't find all the bugs, and on top of that with many non-memory corruption issues it is much more difficult to determine whether an attack was successful or not because there is no crash to notice and debug.


So in conclusion while I'm sure Google's security team is good, what you've described here doesn't necessarily make it so, though I guess it probably does make them unique.
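The second bullet of the comment above, as an added example that is not part of the original comment and is not Google's code: a blind fuzzer only notices exceptions, so a logic bug in a redirect-safety check stays invisible to it until a semantic oracle is bolted on. The target function, the allowed host, the input pieces and the seed are all constructed for illustration.

```python
"""Crash-only fuzzing misses bugs that never crash; you need an oracle.

Added example; not from the original comment and not Google's code.
The target, the allowed host and the input pieces are constructed.
"""
import random
import urllib.parse

ALLOWED_HOSTS = {"example.test"}


def is_safe_redirect(url):
    """Constructed target: an open-redirect check with a logic bug.

    It only tests that the netloc *starts with* an allowed host, so
    'example.test.evil.test' and 'example.test@evil.test' both pass.
    Nothing here ever raises, so a crash-driven fuzzer sees nothing.
    """
    host = urllib.parse.urlsplit(url).netloc
    return any(host.startswith(h) for h in ALLOWED_HOSTS)


def oracle_open_redirect(url):
    """Semantic oracle: the host a browser would actually connect to must be
    exactly an allowed host (userinfo and port stripped, no suffix allowed)."""
    host = urllib.parse.urlsplit(url).netloc.split("@")[-1].split(":")[0]
    return host in ALLOWED_HOSTS


# Constructed building blocks for generated URLs.
PIECES = ["example.test", ".evil.test", "@evil.test", ":8080", "/path", "?q=1", "evil.test"]


def fuzz(n, seed, with_oracle):
    """Throw n random URLs at the target.

    Without the oracle the only signal is an exception (the crash analogue);
    with it, every 'safe' verdict is cross-checked against what safe means.
    Returns a list of (kind, url) findings.
    """
    rng = random.Random(seed)
    findings = []
    for _ in range(n):
        url = "https://" + "".join(rng.choice(PIECES) for _ in range(rng.randint(1, 4)))
        try:
            verdict = is_safe_redirect(url)
        except Exception:  # crash-style signal: all a blind fuzzer can see
            findings.append(("crash", url))
            continue
        if with_oracle and verdict and not oracle_open_redirect(url):
            findings.append(("open-redirect", url))
    return findings


if __name__ == "__main__":
    print("crash-only findings:", len(fuzz(1000, 1, with_oracle=False)))
    hits = fuzz(1000, 1, with_oracle=True)
    print("with oracle:", len(hits), "e.g.", hits[0][1] if hits else None)
```

The oracle is where the effort goes: for memory corruption the crash is the oracle for free, while for logic bugs someone has to write down what "successful attack" means before blind input generation can tell you anything.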

1 year ago

in The Best Piece of Infosec Marketing I’ve Seen in a While on dmiessler.com | grep understanding

I'm not going to pitch for WhiteHat or F5, but the reason this single PCI requirement has been targeted is because it is the only one which relates to web applications, and WhiteHat is a webappsec company.

1 year ago

in Windows is IE, OS X is Firefox on danielmiessler.com | grep understanding

I've already given up on Firefox security; they're both equally bad these days (both in terms of actual PR and security bullshit), and the only thing keeping Firefox users safer is the same thing keeping Mac users safer than Windows users; obscurity.


So while I'll continue to use Firefox, I'm not using it for the core browser itself, but rather the useful extensions which exist for it that I utilise.

1 year ago

in Religion and Poverty, Peas and Carrots on dmiessler.com | grep understanding

Correlation in no way proves causation, so all these studies seem pretty irrelevant. And anyway, the idea that being wealthier causes people to become more secular seems more probable than vice versa simply due to the fact that when things are going well we rarely bother to ask for explanations, yet when things are not going well for us, we usually try to assign blame as much as possible.

1 year ago

in Why Operating Systems Matter on dmiessler.com | grep understanding

Except operating systems these days only get slower and use more system resources for things that I don't care about, such as pretty interfaces.


So seeing as (from my point of view) operating systems aren't getting any better, since they're just adding eye candy and (primarily) things which have no value to me, OS upgrades are pretty irrelevant.

1 year ago

in How *NOT* To Do American National Security on dmiessler.com | grep understanding

On one hand, I completely agree that US foreign policy is not helping, and think that Paul is spot on with what needs to be done, but I don't think that a change in foreign policy will solve all your problems, for two reasons:


1. You've already done a crapload of damage to yourselves in the last 4 years. And simply pulling out is not going to stop the hatred/anger people feel towards you.

2. At best, if all of a sudden everyone who did not hate the US pre-Iraq stopped hating the US, your problem would still not be solved, since the people recruiting the people who hate the US to become terrorists do actually "hate your way of life" (as so many of your presidential candidates put it), in that they want to institute Sharia law around the world. These people are not going to go away - their steady stream of supporters may dwindle, but they can feed people misinformation to get them angry.

Anyway, all I wanted to say is that pulling out of Iraq and mending your foreign policy, having free & open trade with everyone, etc, as Ron Paul wants, is not going to solve all your problems.

1 year ago

in Penetration Testing is Easy — Too Easy on danielmiessler.com | grep understanding

Umm, surprise? Almost everyone in security is simply a monkey who has read some books/materials, and applies what they know. Even those who are pen testing applications rather than networks are doing pretty much the same thing - they know what kind of bugs are present in applications, so they try to find them.


But then again, doctors are pretty much monkeys as well, highly trained monkeys, yes, but monkeys nonetheless. So I don't really see your point.

1 year ago

in I’m Waiting for Google’s Version of Facebook on dmiessler.com | grep understanding

Google already has Orkut - why would they go to the trouble of creating a new system?

1 year ago

in “Don’t Taze Me, Bro!” on danielmiessler.com | grep understanding
It's not that I disagree with his tazering, he was resisting arrest, I disagree with the police's right to arrest him in the first place. And as such, just as resisting arrest would count against the victim, the escalation of force should count against the police if they are ever brought to account.

How exactly was he out of line? Asking uncomfortable questions? Not shutting up because the police want you to? If that's your definition of out of line, well, it's only a few steps from there to thought crime.

Doesn't the US have constitutionally protected Free Speech? To me this would seem simply illegal. But IANAL, so maybe I'm wrong. If it is illegal, I would really like to see heads roll over this, and any similar incidents, to illustrate to law enforcement the seriousness of this issue; if it's not, I think there needs to be a revision in the laws...

1 year ago

in Robert Hansen Loses His Sh*t Over Google Gadgets on Matasano Chargen
Thomas:
I have no clue, I'm just saying that Robert seemed to be more worried about Google leaning on filters.

"does blogspot.com appear in anti-phishing blacklists?"

All the phishing site details that I found (Google search for site:phishtank.com -inurl:user.php blogspot) on PhishTank (except for one) had no vote details, since they were all offline, and so PhishTank didn't display any info. That one was voted as not a phish: http://www.phishtank.com/phish_detail.php?phish... even though the screenshot clearly shows it was (it now hosts ads for viagra or something).

I can't get any data from Google using their Safe Browsing API, since that sends only hashes.

"And don’t they work by knowing that Bank of America doesn’t live at gmodules.com?"

They 'work' (though whether they work or not is arguable) by someone entering a URL into a blacklist; the user never knows why it's marked as a phishing site, by whom, etc.

"Why does Google care if their domain is listed as “not Bank of America”?"

As I said above, the user doesn't get told that, they just get told the site is bad; obviously this would cause the user to lose trust in Google (or at least I think that's the assumption).

"And is there any evidence that Google has leaned on anyone to keep gmodules.com off any legitimate list?"

Well, it hasn't really been utilised yet afaik, so there's nothing really to lean on.



Anyway, I'm not the person to ask, ask Robert, he was the one who made those claims, not me, I'm just as curious and sceptical myself.

1 year ago

in Robert Hansen Loses His Sh*t Over Google Gadgets on Matasano Chargen
I disagree with RSnake's view on this, but I think you're presenting this unfairly.

As he sees it, Google is going to lean on anyone who blacklists a Google URL as a phishing page:

"the answer is they would be far more likely to put their credentials in that site because the anti-phishing lists will never blacklist Google’s domains (per Google’s request). It’s far more difficult to put your username and password on a site that your browser is telling you is a phishing site." - RSnake

Now, while I don't know of any precedent for thinking this, it's not something I'd be shocked at. And if they do start doing this, I'd be fairly pissed off, but I think they still have an opportunity to redeem themselves here.

Essentially, it's the same thing as the redirect issues he's been talking about for a while - users are stupid, and don't understand the web, *shrug*, maybe they are, maybe they aren't, but all the people getting phished point to "they are".

1 year ago

in The Atheist’s Dilemma: Logical Conclusions to the Lack of Free Will on danielmiessler.com | grep understanding
I can accept (and personally believe) the premise that we are simply highly complex deterministic machines, etc, though I have no real evidence on which to do so, so I'm not about to start saying I'm right.

Anyway; I don't think the fact that we are deterministic systems needs to stop us acting as we do presently, but we simply need to ask different questions of ourselves, e.g. instead of asking "Is this worthy of praise", ask "Would my praising this work positively influence the system", you'd probably still have to make a value judgement though, because you don't want to praise something useless, since that would not help the system, etc.

And even though I think we're just responding to stimuli, we still need to provide stimulus to those around us, e.g. no matter whether a person had no choice but to rob a bank, if you stopped persecuting people, more people would rob banks. So long as we accept that the justice system has nothing to do with justice, but rather exists as a deterrent, nothing really needs to change.

So as I see it, everything can go on as it is, we just need to accept that things are deterministic, and therefore not take things personally.

Oh, and regarding the fact that "we forfeit the ability to heap praise on the virtuous or scorn on the wicked", well, not really, since praise of virtuous actions increases the likelihood of more, and scorn of wicked actions decreases the likelihood of wicked actions.